It may “take two to tango,” but it takes 27,000 sanctions violations to dance with the Treasury Department’s Office of Foreign Assets Control (OFAC). Last month, Tango Card, Inc. agreed to pay $116,000 to settle these violations. This case serves as an important reminder for any ecommerce business.
How a gift card company got in trouble
Tango supplies and distributes rewards cards. The company’s focus is on making rewards and incentive programs easy for employers and businesses. Often this is in the form of an e-gift card that can be distributed to a recipient. The recipient then accesses the card online and redeems it for any number of merchants, including dining/entertainment, retailers, travel services, online stores and more. The rewards can be used to make subsequent purchases at these merchants – either in-person or through their website.
According to OFAC, in February 2021, one of Tango’s clients discovered that some recipient email addresses had Top Line Domains (TLDs) from sanctioned countries. (A TLD is a two-letter domain established for countries. For example: “.ir” for Iran and “.cu” for Cuba, etc.) These TLDs triggered Tango to conduct an internal investigation of its prior email database. The investigation revealed that Tango had sent recipients rewards (issued by Tango) to email accounts with IP addresses located in sanctioned jurisdictions. Altogether, from September 2016 to September 2021, Tango sent 27,720 gift cards or promotional debit cards to IP addresses in Cuba, Iran, Syria, North Korea, or the Crimea region of Ukraine. The total value of these e-cards was about $386,000.
OFAC administers and enforces sanctions programs that prohibit U.S. Persons from providing goods and services to these (and other) jurisdictions. Tango is a Seattle-based company and, therefore, a “U.S. Person” under the regulations.
The compliance gap that caused it all
Uncovering violations within your organization is one thing but figuring out exactly how these occurred is the key. Identifying the root cause is the only way to implement appropriate corrective actions to prevent the violation from happening again. In Tango’s case, the company had already:
- Implemented geolocation tools to identify transactions from countries with a high-risk of fraud; and
- Developed OFAC screening for its direct customers.
So, how did this happen you might ask? According to OFAC, while Tango was appropriately screening its direct customers, the company had no mechanisms in place to identify if recipients (not senders) might be from sanctioned countries. This gap is what ultimately led to the apparent violations.
Following this discovery, Tango implemented further geo-blocking of IP addresses and emails, as well as other compliance improvements as described below.
Calculating the cost
OFAC determined that the maximum penalty in this case could have been a whopping $9.2 billion. Some of the factors leading to such a high amount were:
- Tango had risk-based geolocation tools available but failed to implement them (despite knowing that some reward recipients were from sanctioned jurisdictions).
- The company ultimately conveyed more than $386,000 in economic benefit to sanctioned countries and regions. This, of course, goes directly against OFAC’s rules and the reasons these sanctions exist.
Despite these mistakes and the potential huge penalty, Tango ultimately settled for $116,000 – a mere fraction of the maximum. Once it realized these mistakes, Tango made several smart moves to help mitigate its risk. These include:
- Implementing geo-blocking to TLDs
- Updating its IP address geo-blocking to prevent reward redemptions by people in sanctioned jurisdictions
- Acquiring additional screening tools
- Training its team who handles bulk spreadsheet orders on how to properly screen for email addresses and mitigate risk
- Hiring a consultant to assess its risk and overall security of its cloud program
- Hiring additional staff to proactively identify gaps and implement new compliance measures
- Began running monthly “lookback” reports to identify TLDs or IP addresses from sanctioned jurisdictions
Also worth noting: the company voluntarily disclosed the violations to OFAC, cooperated fully with requests for documents and numerous follow-up questions and entered into a tolling agreement. Due to these actions, Tango ultimately received a penalty that was far less than the maximum.
This settlement should serve as a warning – not to mention an excellent case study – for any business involved in ecommerce. Selling goods and services online does not alleviate anyone from complying with the sanctions, as OFAC clearly spells out in its press release. It’s also worth noting the following from OFAC’s announcement:
In addition, while contractually obligating customers to comply with sanctions regulations can help mitigate risk, it does not obviate the need to impose other sanctions compliance controls when appropriate on a risk basis.
This means that burying compliance requirements in your terms and conditions may not be enough to protect your company from harm. OFAC expects you to do more.
Need help improving your sanctions compliance? Our team of experts has helped hundreds of companies of all sizes. Schedule a no-charge consultation today.
Tom Reynolds is the Vice President of Operations for Export Solutions, a consultancy firm which specializes in helping companies with import/export compliance.